summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-11-13 10:51:14 +1100
committerAndrew Bartlett <abartlet@samba.org>2009-11-13 23:19:05 +1100
commit4f8ba5ad6ac9b7153b0e13654e59f47e67b3f608 (patch)
treeca189d440b0a298cdcb3769d994828508dcd2e76 /source4/heimdal/kdc
parent5bc87c14a1f5b45ed86e7ff9663f5f0aa2f70094 (diff)
downloadsamba-4f8ba5ad6ac9b7153b0e13654e59f47e67b3f608.tar.gz
samba-4f8ba5ad6ac9b7153b0e13654e59f47e67b3f608.tar.bz2
samba-4f8ba5ad6ac9b7153b0e13654e59f47e67b3f608.zip
s4:heimdal: import lorikeet-heimdal-200911122202 (commit 9291fd2d101f3eecec550178634faa94ead3e9a1)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r--source4/heimdal/kdc/kerberos5.c57
-rw-r--r--source4/heimdal/kdc/krb5tgs.c166
-rw-r--r--source4/heimdal/kdc/kx509.c37
-rw-r--r--source4/heimdal/kdc/misc.c5
-rw-r--r--source4/heimdal/kdc/pkinit.c88
-rw-r--r--source4/heimdal/kdc/windc.c2
-rw-r--r--source4/heimdal/kdc/windc_plugin.h1
7 files changed, 207 insertions, 149 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 0a9d4a5ca4..fb88aa9f8f 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -261,6 +261,7 @@ _kdc_encode_reply(krb5_context context,
krb5_enctype etype,
int skvno, const EncryptionKey *skey,
int ckvno, const EncryptionKey *reply_key,
+ int rk_is_subkey,
const char **e_text,
krb5_data *reply)
{
@@ -272,8 +273,9 @@ _kdc_encode_reply(krb5_context context,
ASN1_MALLOC_ENCODE(EncTicketPart, buf, buf_size, et, &len, ret);
if(ret) {
- kdc_log(context, config, 0, "Failed to encode ticket: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "Failed to encode ticket: %s", msg);
+ krb5_free_error_message(context, msg);
return ret;
}
if(buf_size != len) {
@@ -286,8 +288,9 @@ _kdc_encode_reply(krb5_context context,
ret = krb5_crypto_init(context, skey, etype, &crypto);
if (ret) {
free(buf);
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
return ret;
}
@@ -301,8 +304,9 @@ _kdc_encode_reply(krb5_context context,
free(buf);
krb5_crypto_destroy(context, crypto);
if(ret) {
- kdc_log(context, config, 0, "Failed to encrypt data: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "Failed to encrypt data: %s", msg);
+ krb5_free_error_message(context, msg);
return ret;
}
@@ -311,8 +315,9 @@ _kdc_encode_reply(krb5_context context,
else
ASN1_MALLOC_ENCODE(EncTGSRepPart, buf, buf_size, ek, &len, ret);
if(ret) {
- kdc_log(context, config, 0, "Failed to encode KDC-REP: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg);
+ krb5_free_error_message(context, msg);
return ret;
}
if(buf_size != len) {
@@ -323,9 +328,10 @@ _kdc_encode_reply(krb5_context context,
}
ret = krb5_crypto_init(context, reply_key, 0, &crypto);
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
free(buf);
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
- krb5_get_err_text(context, ret));
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
return ret;
}
if(rep->msg_type == krb_as_rep) {
@@ -341,7 +347,7 @@ _kdc_encode_reply(krb5_context context,
} else {
krb5_encrypt_EncryptedData(context,
crypto,
- KRB5_KU_TGS_REP_ENC_PART_SESSION,
+ rk_is_subkey ? KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : KRB5_KU_TGS_REP_ENC_PART_SESSION,
buf,
len,
ckvno,
@@ -351,8 +357,9 @@ _kdc_encode_reply(krb5_context context,
}
krb5_crypto_destroy(context, crypto);
if(ret) {
- kdc_log(context, config, 0, "Failed to encode KDC-REP: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "Failed to encode KDC-REP: %s", msg);
+ krb5_free_error_message(context, msg);
return ret;
}
if(buf_size != len) {
@@ -980,8 +987,9 @@ _kdc_as_rep(krb5_context context,
ret = _kdc_db_fetch(context, config, client_princ,
HDB_F_GET_CLIENT | flags, &clientdb, &client);
if(ret){
- kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name, msg);
+ krb5_free_error_message(context, msg);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
@@ -990,8 +998,9 @@ _kdc_as_rep(krb5_context context,
HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
NULL, &server);
if(ret){
- kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name,
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name, msg);
+ krb5_free_error_message(context, msg);
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
@@ -1135,8 +1144,9 @@ _kdc_as_rep(krb5_context context,
try_next_key:
ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto);
if (ret) {
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
free_EncryptedData(&enc_data);
continue;
}
@@ -1154,6 +1164,8 @@ _kdc_as_rep(krb5_context context,
*/
if(ret){
krb5_error_code ret2;
+ const char *msg = krb5_get_error_message(context, ret);
+
ret2 = krb5_enctype_to_string(context,
pa_key->key.keytype, &str);
if (ret2)
@@ -1161,9 +1173,8 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 5,
"Failed to decrypt PA-DATA -- %s "
"(enctype %s) error %s",
- client_name,
- str ? str : "unknown enctype",
- krb5_get_err_text(context, ret));
+ client_name, str ? str : "unknown enctype", msg);
+ krb5_free_error_message(context, msg);
free(str);
if(hdb_next_enctype2key(context, &client->entry,
@@ -1757,7 +1768,7 @@ _kdc_as_rep(krb5_context context,
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, setype, server->entry.kvno,
&skey->key, client->entry.kvno,
- reply_key, &e_text, reply);
+ reply_key, 0, &e_text, reply);
free_EncTicketPart(&et);
free_EncKDCRepPart(&ek);
if (ret)
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index c3b0aaa89e..4f587cf1b6 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -671,6 +671,8 @@ tgs_make_reply(krb5_context context,
KDC_REQ_BODY *b,
krb5_const_principal tgt_name,
const EncTicketPart *tgt,
+ const krb5_keyblock *replykey,
+ int rk_is_subkey,
const EncryptionKey *serverkey,
const krb5_keyblock *sessionkey,
krb5_kvno kvno,
@@ -823,10 +825,14 @@ tgs_make_reply(krb5_context context,
unsigned int i = 0;
/* XXX check authdata */
+
if (et.authorization_data == NULL) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, "malloc: out of memory");
- goto out;
+ et.authorization_data = calloc(1, sizeof(*et.authorization_data));
+ if (et.authorization_data == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, "malloc: out of memory");
+ goto out;
+ }
}
for(i = 0; i < auth_data->len ; i++) {
ret = add_AuthorizationData(et.authorization_data, &auth_data->val[i]);
@@ -927,7 +933,8 @@ tgs_make_reply(krb5_context context,
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, et.key.keytype,
kvno,
- serverkey, 0, &tgt->key, e_text, reply);
+ serverkey, 0, replykey, rk_is_subkey,
+ e_text, reply);
if (is_weak)
krb5_enctype_disable(context, et.key.keytype);
@@ -988,8 +995,9 @@ tgs_check_authenticator(krb5_context context,
/* XXX should not re-encode this */
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
if(ret){
- kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
+ krb5_free_error_message(context, msg);
goto out;
}
if(buf_size != len) {
@@ -1001,9 +1009,10 @@ tgs_check_authenticator(krb5_context context,
}
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
free(buf);
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
- krb5_get_err_text(context, ret));
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
goto out;
}
ret = krb5_verify_checksum(context,
@@ -1015,9 +1024,10 @@ tgs_check_authenticator(krb5_context context,
free(buf);
krb5_crypto_destroy(context, crypto);
if(ret){
+ const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
- "Failed to verify authenticator checksum: %s",
- krb5_get_err_text(context, ret));
+ "Failed to verify authenticator checksum: %s", msg);
+ krb5_free_error_message(context, msg);
}
out:
free_Authenticator(auth);
@@ -1077,7 +1087,9 @@ tgs_parse_request(krb5_context context,
const struct sockaddr *from_addr,
time_t **csec,
int **cusec,
- AuthorizationData **auth_data)
+ AuthorizationData **auth_data,
+ krb5_keyblock **replykey,
+ int *rk_is_subkey)
{
krb5_ap_req ap_req;
krb5_error_code ret;
@@ -1087,16 +1099,20 @@ tgs_parse_request(krb5_context context,
krb5_flags verify_ap_req_flags;
krb5_crypto crypto;
Key *tkey;
+ krb5_keyblock *subkey = NULL;
+ unsigned usage;
*auth_data = NULL;
*csec = NULL;
*cusec = NULL;
+ *replykey = NULL;
memset(&ap_req, 0, sizeof(ap_req));
ret = krb5_decode_ap_req(context, &tgs_req->padata_value, &ap_req);
if(ret){
- kdc_log(context, config, 0, "Failed to decode AP-REQ: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "Failed to decode AP-REQ: %s", msg);
+ krb5_free_error_message(context, msg);
goto out;
}
@@ -1115,14 +1131,15 @@ tgs_parse_request(krb5_context context,
ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, NULL, krbtgt);
if(ret) {
+ const char *msg = krb5_get_error_message(context, ret);
char *p;
ret = krb5_unparse_name(context, princ, &p);
if (ret != 0)
p = "<unparse_name failed>";
krb5_free_principal(context, princ);
kdc_log(context, config, 0,
- "Ticket-granting ticket not found in database: %s: %s",
- p, krb5_get_err_text(context, ret));
+ "Ticket-granting ticket not found in database: %s: %s", msg);
+ krb5_free_error_message(context, msg);
if (ret == 0)
free(p);
ret = KRB5KRB_AP_ERR_NOT_US;
@@ -1184,8 +1201,9 @@ tgs_parse_request(krb5_context context,
krb5_free_principal(context, princ);
if(ret) {
- kdc_log(context, config, 0, "Failed to verify AP-REQ: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "Failed to verify AP-REQ: %s", msg);
+ krb5_free_error_message(context, msg);
goto out;
}
@@ -1219,41 +1237,49 @@ tgs_parse_request(krb5_context context,
goto out;
}
- if (b->enc_authorization_data) {
- unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
- krb5_keyblock *subkey;
- krb5_data ad;
+ usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
+ *rk_is_subkey = 1;
- ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
- if(ret){
- krb5_auth_con_free(context, ac);
- kdc_log(context, config, 0, "Failed to get remote subkey: %s",
- krb5_get_err_text(context, ret));
- goto out;
- }
- if(subkey == NULL){
- usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
- ret = krb5_auth_con_getkey(context, ac, &subkey);
- if(ret) {
- krb5_auth_con_free(context, ac);
- kdc_log(context, config, 0, "Failed to get session key: %s",
- krb5_get_err_text(context, ret));
- goto out;
- }
- }
- if(subkey == NULL){
+ ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
+ if(ret){
+ const char *msg = krb5_get_error_message(context, ret);
+ krb5_auth_con_free(context, ac);
+ kdc_log(context, config, 0, "Failed to get remote subkey: %s", msg);
+ krb5_free_error_message(context, msg);
+ goto out;
+ }
+ if(subkey == NULL){
+ usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
+ *rk_is_subkey = 0;
+
+ ret = krb5_auth_con_getkey(context, ac, &subkey);
+ if(ret) {
+ const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
- kdc_log(context, config, 0,
- "Failed to get key for enc-authorization-data");
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ kdc_log(context, config, 0, "Failed to get session key: %s", msg);
+ krb5_free_error_message(context, msg);
goto out;
}
+ }
+ if(subkey == NULL){
+ krb5_auth_con_free(context, ac);
+ kdc_log(context, config, 0,
+ "Failed to get key for enc-authorization-data");
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+
+ *replykey = subkey;
+
+ if (b->enc_authorization_data) {
+ krb5_data ad;
+
ret = krb5_crypto_init(context, subkey, 0, &crypto);
- krb5_free_keyblock(context, subkey);
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
krb5_auth_con_free(context, ac);
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
- krb5_get_err_text(context, ret));
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
goto out;
}
ret = krb5_decrypt_EncryptedData (context,
@@ -1377,6 +1403,8 @@ tgs_build_reply(krb5_context context,
KDC_REQ_BODY *b,
hdb_entry_ex *krbtgt,
krb5_enctype krbtgt_etype,
+ const krb5_keyblock *replykey,
+ int rk_is_subkey,
krb5_ticket *ticket,
krb5_data *reply,
const char *from,
@@ -1495,7 +1523,7 @@ server_lookup:
NULL, &server);
if(ret){
- const char *new_rlm;
+ const char *new_rlm, *msg;
Realm req_rlm;
krb5_realm *realms;
@@ -1543,9 +1571,10 @@ server_lookup:
}
krb5_free_host_realm(context, realms);
}
+ msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
- "Server not found in database: %s: %s", spn,
- krb5_get_err_text(context, ret));
+ "Server not found in database: %s: %s", spn, msg);
+ krb5_free_error_message(context, msg);
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
@@ -1554,7 +1583,7 @@ server_lookup:
ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
&clientdb, &client);
if(ret) {
- const char *krbtgt_realm;
+ const char *krbtgt_realm, *msg;
/*
* If the client belongs to the same realm as our krbtgt, it
@@ -1574,8 +1603,9 @@ server_lookup:
goto out;
}
- kdc_log(context, config, 1, "Client not found in database: %s: %s",
- cpn, krb5_get_err_text(context, ret));
+ msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 1, "Client not found in database: %s", msg);
+ krb5_free_error_message(context, msg);
}
/*
@@ -1656,9 +1686,11 @@ server_lookup:
client, server, ekey, &tkey->key,
tgt, &rspac, &signedpath);
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
"Verify PAC failed for %s (%s) from %s with %s",
- spn, cpn, from, krb5_get_err_text(context, ret));
+ spn, cpn, from, msg);
+ krb5_free_error_message(context, msg);
goto out;
}
@@ -1671,9 +1703,11 @@ server_lookup:
&spp,
&signedpath);
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
"KRB5SignedPath check failed for %s (%s) from %s with %s",
- spn, cpn, from, krb5_get_err_text(context, ret));
+ spn, cpn, from, msg);
+ krb5_free_error_message(context, msg);
goto out;
}
@@ -1709,10 +1743,11 @@ server_lookup:
ret = krb5_crypto_init(context, &tgt->key, 0, &crypto);
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
free_PA_S4U2Self(&self);
krb5_data_free(&datack);
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
- krb5_get_err_text(context, ret));
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
goto out;
}
@@ -1725,10 +1760,11 @@ server_lookup:
krb5_data_free(&datack);
krb5_crypto_destroy(context, crypto);
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
free_PA_S4U2Self(&self);
kdc_log(context, config, 0,
- "krb5_verify_checksum failed for S4U2Self: %s",
- krb5_get_err_text(context, ret));
+ "krb5_verify_checksum failed for S4U2Self: %s", msg);
+ krb5_free_error_message(context, msg);
goto out;
}
@@ -1866,11 +1902,13 @@ server_lookup:
if (ret == 0 && !ad_signedpath)
ret = KRB5KDC_ERR_BADOPTION;
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
"KRB5SignedPath check from service %s failed "
"for delegation to %s for client %s "
"from %s failed with %s",
- spn, str, cpn, from, krb5_get_err_text(context, ret));
+ spn, str, cpn, from, msg);
+ krb5_free_error_message(context, msg);
free(str);
goto out;
}
@@ -1950,6 +1988,8 @@ server_lookup:
b,
client_principal,
tgt,
+ replykey,
+ rk_is_subkey,
ekey,
&sessionkey,
kvno,
@@ -2016,6 +2056,8 @@ _kdc_tgs_rep(krb5_context context,
const char *e_text = NULL;
krb5_enctype krbtgt_etype = ETYPE_NULL;
+ krb5_keyblock *replykey = NULL;
+ int rk_is_subkey = 0;
time_t *csec = NULL;
int *cusec = NULL;
@@ -2043,7 +2085,9 @@ _kdc_tgs_rep(krb5_context context,
&e_text,
from, from_addr,
&csec, &cusec,
- &auth_data);
+ &auth_data,
+ &replykey,
+ &rk_is_subkey);
if (ret) {
kdc_log(context, config, 0,
"Failed parsing TGS-REQ from %s", from);
@@ -2056,6 +2100,8 @@ _kdc_tgs_rep(krb5_context context,
&req->req_body,
krbtgt,
krbtgt_etype,
+ replykey,
+ rk_is_subkey,
ticket,
data,
from,
@@ -2076,6 +2122,8 @@ _kdc_tgs_rep(krb5_context context,
}
out:
+ if (replykey)
+ krb5_free_keyblock(context, replykey);
if(ret && data->data == NULL){
krb5_mk_error(context,
ret,
diff --git a/source4/heimdal/kdc/kx509.c b/source4/heimdal/kdc/kx509.c
index 8f7f3a27fb..eb757bb578 100644
--- a/source4/heimdal/kdc/kx509.c
+++ b/source4/heimdal/kdc/kx509.c
@@ -143,7 +143,6 @@ build_certificate(krb5_context context,
krb5_principal principal,
krb5_data *certificate)
{
- hx509_context hxctx = NULL;
hx509_ca_tbs tbs = NULL;
hx509_env env = NULL;
hx509_cert cert = NULL;
@@ -155,11 +154,7 @@ build_certificate(krb5_context context,
return EINVAL;
}
- ret = hx509_context_init(&hxctx);
- if (ret)
- goto out;
-
- ret = hx509_env_add(hxctx, &env, "principal-name",
+ ret = hx509_env_add(context->hx509ctx, &env, "principal-name",
krb5_principal_get_comp_string(context, principal, 0));
if (ret)
goto out;
@@ -168,14 +163,14 @@ build_certificate(krb5_context context,
hx509_certs certs;
hx509_query *q;
- ret = hx509_certs_init(hxctx, config->kx509_ca, 0,
+ ret = hx509_certs_init(context->hx509ctx, config->kx509_ca, 0,
NULL, &certs);
if (ret) {
kdc_log(context, config, 0, "Failed to load CA %s",
config->kx509_ca);
goto out;
}
- ret = hx509_query_alloc(hxctx, &q);
+ ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret) {
hx509_certs_free(&certs);
goto out;
@@ -184,8 +179,8 @@ build_certificate(krb5_context context,
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
- ret = hx509_certs_find(hxctx, certs, q, &signer);
- hx509_query_free(hxctx, q);
+ ret = hx509_certs_find(context->hx509ctx, certs, q, &signer);
+ hx509_query_free(context->hx509ctx, q);
hx509_certs_free(&certs);
if (ret) {
kdc_log(context, config, 0, "Failed to find a CA in %s",
@@ -194,7 +189,7 @@ build_certificate(krb5_context context,
}
}
- ret = hx509_ca_tbs_init(hxctx, &tbs);
+ ret = hx509_ca_tbs_init(context->hx509ctx, &tbs);
if (ret)
goto out;
@@ -214,7 +209,7 @@ build_certificate(krb5_context context,
any.length = 2;
spki.algorithm.parameters = &any;
- ret = hx509_ca_tbs_set_spki(hxctx, tbs, &spki);
+ ret = hx509_ca_tbs_set_spki(context->hx509ctx, tbs, &spki);
der_free_oid(&spki.algorithm.algorithm);
if (ret)
goto out;
@@ -224,21 +219,21 @@ build_certificate(krb5_context context,
hx509_certs certs;
hx509_cert template;
- ret = hx509_certs_init(hxctx, config->kx509_template, 0,
+ ret = hx509_certs_init(context->hx509ctx, config->kx509_template, 0,
NULL, &certs);
if (ret) {
kdc_log(context, config, 0, "Failed to load template %s",
config->kx509_template);
goto out;
}
- ret = hx509_get_one_cert(hxctx, certs, &template);
+ ret = hx509_get_one_cert(context->hx509ctx, certs, &template);
hx509_certs_free(&certs);
if (ret) {
kdc_log(context, config, 0, "Failed to find template in %s",
config->kx509_template);
goto out;
}
- ret = hx509_ca_tbs_set_template(hxctx, tbs,
+ ret = hx509_ca_tbs_set_template(context->hx509ctx, tbs,
HX509_CA_TEMPLATE_SUBJECT|
HX509_CA_TEMPLATE_KU|
HX509_CA_TEMPLATE_EKU,
@@ -248,25 +243,23 @@ build_certificate(krb5_context context,
goto out;
}
- hx509_ca_tbs_set_notAfter(hxctx, tbs, endtime);
+ hx509_ca_tbs_set_notAfter(context->hx509ctx, tbs, endtime);
- hx509_ca_tbs_subject_expand(hxctx, tbs, env);
+ hx509_ca_tbs_subject_expand(context->hx509ctx, tbs, env);
hx509_env_free(&env);
- ret = hx509_ca_sign(hxctx, tbs, signer, &cert);
+ ret = hx509_ca_sign(context->hx509ctx, tbs, signer, &cert);
hx509_cert_free(signer);
if (ret)
goto out;
hx509_ca_tbs_free(&tbs);
- ret = hx509_cert_binary(hxctx, cert, certificate);
+ ret = hx509_cert_binary(context->hx509ctx, cert, certificate);
hx509_cert_free(cert);
if (ret)
goto out;
- hx509_context_free(&hxctx);
-
return 0;
out:
if (env)
@@ -275,8 +268,6 @@ out:
hx509_ca_tbs_free(&tbs);
if (signer)
hx509_cert_free(signer);
- if (hxctx)
- hx509_context_free(&hxctx);
krb5_set_error_message(context, ret, "cert creation failed");
return ret;
}
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index e016183615..9a3f254640 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -80,8 +80,9 @@ _kdc_db_fetch(krb5_context context,
ret = config->db[i]->hdb_open(context, config->db[i], O_RDONLY, 0);
if (ret) {
- kdc_log(context, config, 0, "Failed to open database: %s",
- krb5_get_err_text(context, ret));
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "Failed to open database: %s", msg);
+ krb5_free_error_message(context, msg);
continue;
}
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index 0d00ef2173..7bb32eb577 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -517,7 +517,7 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
- ret = hx509_certs_init(kdc_identity->hx509ctx,
+ ret = hx509_certs_init(context->hx509ctx,
"MEMORY:trust-anchors",
0, NULL, &trust_anchors);
if (ret) {
@@ -525,7 +525,7 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
- ret = hx509_certs_merge(kdc_identity->hx509ctx, trust_anchors,
+ ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
kdc_identity->anchors);
if (ret) {
hx509_certs_free(&trust_anchors);
@@ -540,18 +540,18 @@ _kdc_pk_rd_padata(krb5_context context,
unsigned int i;
for (i = 0; i < pc->len; i++) {
- ret = hx509_cert_init_data(kdc_identity->hx509ctx,
+ ret = hx509_cert_init_data(context->hx509ctx,
pc->val[i].cert.data,
pc->val[i].cert.length,
&cert);
if (ret)
continue;
- hx509_certs_add(kdc_identity->hx509ctx, trust_anchors, cert);
+ hx509_certs_add(context->hx509ctx, trust_anchors, cert);
hx509_cert_free(cert);
}
}
- ret = hx509_verify_init_ctx(kdc_identity->hx509ctx, &cp->verify_ctx);
+ ret = hx509_verify_init_ctx(context->hx509ctx, &cp->verify_ctx);
if (ret) {
hx509_certs_free(&trust_anchors);
krb5_set_error_message(context, ret, "failed to create verify context");
@@ -618,7 +618,7 @@ _kdc_pk_rd_padata(krb5_context context,
ExternalPrincipalIdentifiers *edi = r.trustedCertifiers;
unsigned int i, maxedi;
- ret = hx509_certs_init(kdc_identity->hx509ctx,
+ ret = hx509_certs_init(context->hx509ctx,
"MEMORY:client-anchors",
0, NULL,
&cp->client_anchors);
@@ -645,7 +645,7 @@ _kdc_pk_rd_padata(krb5_context context,
if (edi->val[i].issuerAndSerialNumber == NULL)
continue;
- ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret) {
krb5_set_error_message(context, ret,
"Failed to allocate hx509_query");
@@ -657,24 +657,24 @@ _kdc_pk_rd_padata(krb5_context context,
&iasn,
&size);
if (ret) {
- hx509_query_free(kdc_identity->hx509ctx, q);
+ hx509_query_free(context->hx509ctx, q);
continue;
}
ret = hx509_query_match_issuer_serial(q, &iasn.issuer, &iasn.serialNumber);
free_IssuerAndSerialNumber(&iasn);
if (ret) {
- hx509_query_free(kdc_identity->hx509ctx, q);
+ hx509_query_free(context->hx509ctx, q);
continue;
}
- ret = hx509_certs_find(kdc_identity->hx509ctx,
+ ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,
&cert);
- hx509_query_free(kdc_identity->hx509ctx, q);
+ hx509_query_free(context->hx509ctx, q);
if (ret)
continue;
- hx509_certs_add(kdc_identity->hx509ctx,
+ hx509_certs_add(context->hx509ctx,
cp->client_anchors, cert);
hx509_cert_free(cert);
}
@@ -719,7 +719,7 @@ _kdc_pk_rd_padata(krb5_context context,
if (req->req_body.kdc_options.request_anonymous)
flags |= HX509_CMS_VS_ALLOW_ZERO_SIGNER;
- ret = hx509_cms_verify_signed(kdc_identity->hx509ctx,
+ ret = hx509_cms_verify_signed(context->hx509ctx,
cp->verify_ctx,
flags,
signed_content.data,
@@ -730,7 +730,7 @@ _kdc_pk_rd_padata(krb5_context context,
&eContent,
&signer_certs);
if (ret) {
- char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret);
+ char *s = hx509_get_error_string(context->hx509ctx, ret);
krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
s, ret);
free(s);
@@ -738,7 +738,7 @@ _kdc_pk_rd_padata(krb5_context context,
}
if (signer_certs) {
- ret = hx509_get_one_cert(kdc_identity->hx509ctx, signer_certs,
+ ret = hx509_get_one_cert(context->hx509ctx, signer_certs,
&cp->cert);
hx509_certs_free(&signer_certs);
}
@@ -843,7 +843,7 @@ _kdc_pk_rd_padata(krb5_context context,
} else
cp->keyex = USE_RSA;
- ret = hx509_peer_info_alloc(kdc_identity->hx509ctx,
+ ret = hx509_peer_info_alloc(context->hx509ctx,
&cp->peer);
if (ret) {
free_AuthPack(&ap);
@@ -851,7 +851,7 @@ _kdc_pk_rd_padata(krb5_context context,
}
if (ap.supportedCMSTypes) {
- ret = hx509_peer_info_set_cms_algs(kdc_identity->hx509ctx,
+ ret = hx509_peer_info_set_cms_algs(context->hx509ctx,
cp->peer,
ap.supportedCMSTypes->val,
ap.supportedCMSTypes->len);
@@ -861,11 +861,11 @@ _kdc_pk_rd_padata(krb5_context context,
}
} else {
/* assume old client */
- hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer,
+ hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
hx509_crypto_des_rsdi_ede3_cbc());
- hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer,
+ hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
hx509_signature_rsa_with_sha1());
- hx509_peer_info_add_cms_alg(kdc_identity->hx509ctx, cp->peer,
+ hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
hx509_signature_sha1());
}
free_AuthPack(&ap);
@@ -1016,7 +1016,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
hx509_query *q;
hx509_cert cert;
- ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret)
goto out;
@@ -1024,15 +1024,15 @@ pk_mk_pa_reply_enckey(krb5_context context,
if (config->pkinit_kdc_friendly_name)
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
- ret = hx509_certs_find(kdc_identity->hx509ctx,
+ ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,
&cert);
- hx509_query_free(kdc_identity->hx509ctx, q);
+ hx509_query_free(context->hx509ctx, q);
if (ret)
goto out;
- ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
+ ret = hx509_cms_create_signed_1(context->hx509ctx,
0,
sdAlg,
buf.data,
@@ -1060,7 +1060,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
signed_data = buf;
}
- ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
+ ret = hx509_cms_envelope_1(context->hx509ctx,
HX509_CMS_EV_NO_KU_CHECK,
cp->cert,
signed_data.data, signed_data.length,
@@ -1172,7 +1172,7 @@ pk_mk_pa_reply_dh(krb5_context context,
* filled in above
*/
- ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret)
goto out;
@@ -1180,15 +1180,15 @@ pk_mk_pa_reply_dh(krb5_context context,
if (config->pkinit_kdc_friendly_name)
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
- ret = hx509_certs_find(kdc_identity->hx509ctx,
+ ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,
&cert);
- hx509_query_free(kdc_identity->hx509ctx, q);
+ hx509_query_free(context->hx509ctx, q);
if (ret)
goto out;
- ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
+ ret = hx509_cms_create_signed_1(context->hx509ctx,
0,
&asn1_oid_id_pkdhkeydata,
buf.data,
@@ -1509,7 +1509,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
goto out_ocsp;
}
- ret = hx509_ocsp_verify(kdc_identity->hx509ctx,
+ ret = hx509_ocsp_verify(context->hx509ctx,
kdc_time,
kdc_cert,
0,
@@ -1580,9 +1580,10 @@ match_rfc_san(krb5_context context,
list.val[i].length,
&kn, &size);
if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
- "Decoding kerberos name in certificate failed: %s",
- krb5_get_err_text(context, ret));
+ "Decoding kerberos name in certificate failed: %s", msg);
+ krb5_free_error_message(context, msg);
break;
}
if (size != list.val[i].length) {
@@ -1644,6 +1645,12 @@ match_ms_upn_san(krb5_context context,
kdc_log(context, config, 0, "Decode of MS-UPN-SAN failed");
goto out;
}
+ if (size != list.val[0].length) {
+ free_MS_UPN_SAN(&upn);
+ kdc_log(context, config, 0, "Trailing data in ");
+ ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ goto out;
+ }
kdc_log(context, config, 0, "found MS UPN SAN: %s", upn);
@@ -1697,7 +1704,7 @@ _kdc_pk_check_client(krb5_context context,
return 0;
}
- ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx,
+ ret = hx509_cert_get_base_subject(context->hx509ctx,
cp->cert,
&name);
if (ret)
@@ -1718,7 +1725,7 @@ _kdc_pk_check_client(krb5_context context,
unsigned int i;
for (i = 0; i < pc->len; i++) {
- ret = hx509_cert_init_data(kdc_identity->hx509ctx,
+ ret = hx509_cert_init_data(context->hx509ctx,
pc->val[i].cert.data,
pc->val[i].cert.length,
&cert);
@@ -1737,7 +1744,7 @@ _kdc_pk_check_client(krb5_context context,
if (config->pkinit_princ_in_cert) {
ret = match_rfc_san(context, config,
- kdc_identity->hx509ctx,
+ context->hx509ctx,
cp->cert,
client->entry.principal);
if (ret == 0) {
@@ -1746,7 +1753,7 @@ _kdc_pk_check_client(krb5_context context,
return 0;
}
ret = match_ms_upn_san(context, config,
- kdc_identity->hx509ctx,
+ context->hx509ctx,
cp->cert,
clientdb,
client);
@@ -1944,7 +1951,6 @@ _kdc_pk_initialize(krb5_context context,
ret = _krb5_pk_load_id(context,
&kdc_identity,
- 0,
user_id,
anchors,
pool,
@@ -1962,7 +1968,7 @@ _kdc_pk_initialize(krb5_context context,
hx509_query *q;
hx509_cert cert;
- ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+ ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret) {
krb5_warnx(context, "PKINIT: out of memory");
return ENOMEM;
@@ -1972,13 +1978,13 @@ _kdc_pk_initialize(krb5_context context,
if (config->pkinit_kdc_friendly_name)
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
- ret = hx509_certs_find(kdc_identity->hx509ctx,
+ ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,
&cert);
- hx509_query_free(kdc_identity->hx509ctx, q);
+ hx509_query_free(context->hx509ctx, q);
if (ret == 0) {
- if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert,
+ if (hx509_cert_check_eku(context->hx509ctx, cert,
&asn1_oid_id_pkkdcekuoid, 0)) {
hx509_name name;
char *str;
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index ab844e346c..0ef9cdb7ab 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
@@ -55,7 +55,7 @@ krb5_kdc_windc_init(krb5_context context)
for (e = list; e != NULL; e = _krb5_plugin_get_next(e)) {
windcft = _krb5_plugin_get_symbol(e);
- if (windcft->minor_version < KRB5_WINDC_PLUGING_MINOR)
+ if (windcft->minor_version < KRB5_WINDC_PLUGIN_MINOR)
continue;
(*windcft->init)(context, &windcctx);
diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
index c7efb7b852..0ec8e066c7 100644
--- a/source4/heimdal/kdc/windc_plugin.h
+++ b/source4/heimdal/kdc/windc_plugin.h
@@ -72,6 +72,7 @@ typedef krb5_error_code
#define KRB5_WINDC_PLUGING_MINOR 4
+#define KRB5_WINDC_PLUGIN_MINOR 4
typedef struct krb5plugin_windc_ftable {
int minor_version;